diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3dd6d1c06..089bd43ef 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -42,17 +42,23 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       id-token: write
-      contents: write
     env:
       TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
       TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
     if: github.repository_owner == 'discordjs'
     steps:
+      - uses: actions/create-github-app-token@v2
+        id: app-token
+        with:
+          app-id: ${{ vars.DISCORDJS_APP_ID }}
+          private-key: ${{ secrets.DISCORDJS_APP_KEY_RELEASE }}
+          permission-contents: write
+
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
+          token: ${{ steps.app-token.outputs.token }}
           ref: ${{ inputs.ref || '' }}
-          ssh-key: ${{ secrets.DEPLOY_KEY_CI_RELEASE_TAGS }}
 
       - name: Install Node.js v22
         uses: actions/setup-node@v4
@@ -74,4 +80,4 @@ jobs:
           dry: ${{ inputs.dry_run }}
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/packages/actions/src/releasePackages/releasePackage.ts b/packages/actions/src/releasePackages/releasePackage.ts
index 6a1dab232..4c42a828a 100644
--- a/packages/actions/src/releasePackages/releasePackage.ts
+++ b/packages/actions/src/releasePackages/releasePackage.ts
@@ -18,20 +18,19 @@ async function checkRegistry(release: ReleaseEntry) {
 
 async function gitTagAndRelease(release: ReleaseEntry, dry: boolean) {
 	const tagName = `${release.name === 'discord.js' ? `` : `${release.name}@`}${release.version}`;
-	// Don't throw, if this exits non-zero it's probably because the tag already exists
-	await $`git tag ${tagName}`.nothrow();
 
 	if (dry) {
-		info(`[DRY] Tag "${tagName}" created, skipping push and release creation.`);
+		info(`[DRY] Release would be "${tagName}", skipping release creation.`);
 		return;
 	}
 
-	await $`git push origin ${tagName}`;
+	const commitHash = (await $`git rev-parse --short HEAD`.text()).trim();
 
 	try {
 		await octokit?.rest.repos.createRelease({
 			...context.repo,
 			tag_name: tagName,
+			target_commitish: commitHash,
 			name: tagName,
 			body: release.changelog ?? '',
 			generate_release_notes: release.changelog === undefined,